Bali Public Bug Hunter
The program aims to help the team find bugs and close security gaps across the entire
existing system.
Some things that can be reported in accordance with applicable regulations are data
breaches, access to data, outages and performance issues.
What's in coverage?
- Security Vulnerability
- Data Abuse
- Bug Vulnerability
- Public Reports
Reward & Bounty
Bali Provincial Government Bug Bounty values the efforts of security researchers
and acknowledges their contributions with certificates of appreciation. These
certificates are awarded for valid vulnerabilities identified within the specified
scope, with evaluation and issuance at the discretion of the Bug Bounty
Team. We are committed to prompt communication, thorough evaluation, and
maintaining confidentiality throughout the process.
Overall Risk Severity
Likelihood Factors
- Skill Level
- Motive
- Opportunity
- Size
- Ease of Discovery
- Ease of Exploit
- Awareness
- Intrusion Detection
Impact Factors
- Loss of Confidentiality
- Loss of Integrity
- Loss of Availability
- Loss of Accountability
- Financial Damage
- Reputation Damage
- Non-compliance
- Privacy Violation
Researchers Scope
In Scope Properties
We recommend that security researchers share the details of any suspected vulnerabilities
within the domain *.baliprov.dev using the provided reporting form. The Bug Bounty
team will acknowledge receipt of each vulnerability report, conduct a thorough
investigation, and take appropriate action for resolution. The following is a list of
allowed scopes:
- Investasi PIKBS
- Kantor Virtual Publik
- Bulan Bung Karno
- SIGENTING
- SIKUAT
- E-Prestise (Portal Perizinan Provinsi Bali)
- Bali Satu Data
- Love Bali
- EventID
- Website Pemerintah Provinsi Bali
- App Write Pemerintah Provinsi Bali
- SIKRAMAT (Sistem Informasi Manajemen Kependudukan Desa Adat Terintegrasi)
- Pameran Virtual
- BMC
- JDIH DPRD
- API Nyomia
- Kelas Virtual Bali Melajah
- SISNAKER (Sistem Ketenagakerjaan Pemerintah Provinsi Bali)
- SIGAPURA
- DSDP (Denpasar Sewerage Development Project)
- DIGIFEST
- SIMPELKAN (Sistem Pelayanan Perikanan Pemerintah Provinsi Bali)
- SIK KBS
- TJSL (Tanggung Jawab Sosial dan Lingkungan)
- Bug Bounty Provinsi Bali
- SIWALATRI
- JIDHAT
- Sistem Aset Pemerintah Provinsi Bali
- Antrean
- SSO Pemerintah Provinsi Bali
- Turyapada Website
- Sipandu Beradat
In Scope Vulnerability
The following types of vulnerabilities are NOT INCLUDED in the scope of
reporting; please do not test and/or report them:
- DOS / DDOS
- Self-XSS
- Vulnerabilities that are only theoretical, without evidence.
- Missing Security Header
- Social Engineering
- Cross-site Request Forgery (CSRF) on features that are non-sensitive or have minimal impact, such as Logout CSRF.
- Clickjacking on non-sensitive pages.
- Email Spoofing and/or related email misconfigurations such as DMARC and SPF Records
- SSL/TLS best practices
- Open port with no valid impact
You are the eyes of Bali
The program aims to help the team fix bugs and close security gaps across the entire existing system.
Policy and Rules of Engagement
Bug Bounty Rules
- Comply with all applicable terms & conditions.
- Do not carry out tests that can cause interference with the activities of legitimate application users, for example changing, accessing and/or interacting with other user accounts without the consent of the account owner.
- Do not carry out tests that can cause disruption to the electronic system services being tested, for example carrying out Denial-Of-Service.
- Do not further exploit the vulnerabilities found, even if the aim is to demonstrate the greatest risk, for example by exfiltrating data, changing configurations, pivoting to other systems, and so on. A Proof-of-Concept is sufficient to confirm that the vulnerabilities found are valid.
- Do not publish any vulnerability information without the approval of the Bali Provincial Government Bug Bounty organizers, as outlined in the Publication Policy.
- Report any signs of compromise, data leaks, or unavailability of the electronic system services being tested (Denial of Service) to the relevant parties involved in the bug bounty program.
Reporting Bug Rules
- Participants report vulnerabilities only through predetermined communication channels, in this case through the bugbounty.baliprov.go.id website.
- Report vulnerabilities in detail, according to the format and conditions that have been determined.
- Testing may only be performed on the target electronic systems explicitly specified for the vulnerability finding program.
- Please ensure your submissions are within the defined scope and rules; only vulnerabilities related to the domain *.baliprov.dev will be accepted. Submissions outside this scope will not be considered.
- When submitting a vulnerability report, please ensure that your full name is included in the submission. This is crucial as the name provided will be used to issue the certificate of appreciation from the Bali Provincial Government.